Description
HelloTalk through 3.4.1 stores full-precision GPS coordinates even when the user had intended to share only a country or city. Furthermore, these coordinates are placed into a database on the client of other users. (The client side was changed in 2019 to encrypt that database.)
Published: 2026-06-05
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

HelloTalk versions through 3.4.1 inappropriately store full‑precision GPS coordinates even when the user has chosen only a country or city for sharing. The coordinates are written to a client‑side database that other users of the app can access. This results in a confidentiality breach, exposing precise location data beyond the intended granularity and enabling tracking or profiling. The vulnerability is consistent with an encryption weakness that fails to protect sensitive data, as described by CWE‑359.

Affected Systems

All users running HelloTalk version 3.4.1 or earlier on any supported platform are affected. The issue manifests regardless of operating system or device type, as the client side database is shared across users on the same device.

Risk and Exploitability

The moderate CVSS score of 5.3 indicates a medium severity scenario. Because no EPSS score is available and the flaw is not in the CISA KEV catalog, the exploitation likelihood is considered moderate. An attacker only needs to be a user of the application; with normal app activity or direct interaction with another user, the attacker can read the client‑side database and obtain another user's exact coordinates. No elevated privileges or additional exploitation steps are required.

Generated by OpenCVE AI on June 5, 2026 at 16:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update to the latest HelloTalk release, which removes the exposure and encrypts stored coordinates properly.
  • If an update is not possible, reduce location sharing granularity within the app settings to the lowest permissible level and confirm that full‑precision data is no longer recorded.
  • If the app offers no granular control, uninstall the application and reinstall a fresh copy, ensuring that any existing client database is cleared, or contact HelloTalk support for assistance with a temporary workaround until a patch is available.

Generated by OpenCVE AI on June 5, 2026 at 16:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

References
Link Providers
https://isopach.dev/CVE-2020-25900/ cve-icon cve-icon
History

Sun, 07 Jun 2026 11:30:00 +0000

Type Values Removed Values Added
First Time appeared Hellotalk
Hellotalk hellotalk
Vendors & Products Hellotalk
Hellotalk hellotalk

Fri, 05 Jun 2026 21:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 05 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
Title Excessive GPS Precision Disclosure in HelloTalk

Fri, 05 Jun 2026 14:45:00 +0000

Type Values Removed Values Added
Description HelloTalk through 3.4.1 stores full-precision GPS coordinates even when the user had intended to share only a country or city. Furthermore, these coordinates are placed into a database on the client of other users. (The client side was changed in 2019 to encrypt that database.)
Weaknesses CWE-359
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}

Subscriptions

Hellotalk Hellotalk
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-06-05T20:12:16.175Z

Reserved: 2020-09-24T00:00:00.000Z

Link: CVE-2020-25900

cve-icon Vulnrichment

Updated: 2026-06-05T20:12:13.452Z

cve-icon NVD

Status : Deferred

Published: 2026-06-05T15:16:39.230

Modified: 2026-06-05T16:04:48.437

Link: CVE-2020-25900

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-07T11:18:24Z

Weaknesses
  • CWE-359

    Exposure of Private Personal Information to an Unauthorized Actor